(command.CommandList
  children: [
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:tid)
          op: assign_op.Equal
          rhs: {(DQ <'multiple pubkey'>)}
          spids: [7]
        )
      ]
    )
    (C {<rm>} {<-f>} 
      {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> ($ Id.VSub_DollarName '$USER')} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'> <Id.Lit_Star '*'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/user_key'> <Id.Lit_Star '*'>}
    )
    (C {<rm>} {<-f>} 
      {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> ($ Id.VSub_DollarName '$USER')} {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key'> <Id.Lit_Star '*'>}
    )
    (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.orig'>}
    )
    (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy.orig'>}
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/user_key2'>}
        )
        (C {<fatal>} {(DQ <'ssh-keygen failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$OBJ') <'/user_ca_key'>} 
          {<-I>} {(DQ <'regress user key for '> ($ Id.VSub_DollarName '$USER'))} {<-z>} {($ Id.VSub_Dollar '$$')} {<-n>} 
          {(${ Id.VSub_Name USER) <Id.Lit_Comma ','> <mekmitasdigoat>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>}
        )
        (C {<fail>} {(DQ <'couldn\'t sign user_key1'>)})
      ]
    )
    (C {<mv>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1-cert.pub'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key1.pub'>}
    )
    (C {<cp>} {<-p>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/cert_user_key1'>}
    )
    (command.Simple
      words: [{<grep>} {<-v>} {<IdentityFile>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy.orig'>}]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
        )
      ]
      do_fork: T
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:opts)
          op: assign_op.Equal
          rhs: 
            {
              (DQ <'-oProtocol=2 -F '> ($ Id.VSub_DollarName '$OBJ') 
                <'/ssh_proxy -oIdentitiesOnly=yes'>
              )
            }
          spids: [239]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:opts)
          op: assign_op.Equal
          rhs: 
            {
              (DQ ($ Id.VSub_DollarName '$opts') <' -i '> ($ Id.VSub_DollarName '$OBJ') 
                <'/cert_user_key1 -i '> ($ Id.VSub_DollarName '$OBJ') <'/user_key1 -i '> ($ Id.VSub_DollarName '$OBJ') <'/user_key2'>
              )
            }
          spids: [246]
        )
      ]
    )
    (command.ForEach
      iter_name: privsep
      iter_words: [{<no>} {<yes>}]
      do_arg_iter: F
      body: 
        (command.DoGroup
          children: [
            (command.Subshell
              child: 
                (command.CommandList
                  children: [
                    (C {<grep>} {<-v>} {(DQ <Protocol>)} 
                      {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy.orig'>}
                    )
                    (C {<echo>} {(DQ <'Protocol 2'>)})
                    (C {<echo>} {(DQ <'UsePrivilegeSeparation '> ($ Id.VSub_DollarName '$privsep'))})
                    (C {<echo>} {(DQ <'AuthenticationMethods publickey,publickey'>)})
                    (C {<echo>} 
                      {(DQ <'TrustedUserCAKeys '> ($ Id.VSub_DollarName '$OBJ') <'/user_ca_key.pub'>)}
                    )
                    (C {<echo>} 
                      {
                        (DQ <'AuthorizedPrincipalsFile '> ($ Id.VSub_DollarName '$OBJ') 
                          <'/authorized_principals_%u'>
                        )
                      }
                    )
                  ]
                )
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                )
              ]
            )
            (C {<rm>} {<-f>} 
              {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                ($ Id.VSub_DollarName '$USER')
              }
            )
            (command.Simple
              words: [{<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1.pub'>}]
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: 
                    {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> 
                      ($ Id.VSub_DollarName '$USER')
                    }
                )
              ]
              do_fork: T
            )
            (command.AndOr
              ops: [Id.Op_DAmp]
              children: [
                (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<proxy>} {<true>})
                (C {<fail>} {(DQ <'ssh succeeded with key'>)})
              ]
            )
            (command.Simple
              words: [{<echo>} {<mekmitasdigoat>}]
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: 
                    {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                      ($ Id.VSub_DollarName '$USER')
                    }
                )
              ]
              do_fork: T
            )
            (command.Simple
              words: [{<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_key1.pub'>}]
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: 
                    {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> 
                      ($ Id.VSub_DollarName '$USER')
                    }
                )
              ]
              do_fork: T
            )
            (command.AndOr
              ops: [Id.Op_DAmp]
              children: [
                (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<proxy>} {<true>})
                (C {<fail>} {(DQ <'ssh succeeded with key+cert'>)})
              ]
            )
            (C {<rm>} {<-f>} 
              {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                ($ Id.VSub_DollarName '$USER')
              }
            )
            (command.Simple
              words: [
                {<cat>}
                {($ Id.VSub_DollarName '$OBJ') <'/user_key1.pub'>}
                {($ Id.VSub_DollarName '$OBJ') <'/user_key2.pub'>}
              ]
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: 
                    {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> 
                      ($ Id.VSub_DollarName '$USER')
                    }
                )
              ]
              do_fork: T
            )
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<proxy>} {<true>})
                (C {<fail>} {(DQ <'ssh failed with multiple keys'>)})
              ]
            )
            (command.Simple
              words: [{<echo>} {<mekmitasdigoat>}]
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: 
                    {($ Id.VSub_DollarName '$OBJ') <'/authorized_principals_'> 
                      ($ Id.VSub_DollarName '$USER')
                    }
                )
              ]
              do_fork: T
            )
            (command.Simple
              words: [{<cat>} {($ Id.VSub_DollarName '$OBJ') <'/user_key2.pub'>}]
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: 
                    {($ Id.VSub_DollarName '$OBJ') <'/authorized_keys_'> 
                      ($ Id.VSub_DollarName '$USER')
                    }
                )
              ]
              do_fork: T
            )
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {(${ Id.VSub_Name SSH)} {($ Id.VSub_DollarName '$opts')} {<proxy>} {<true>})
                (C {<fail>} {(DQ <'ssh failed with key/cert'>)})
              ]
            )
          ]
        )
    )
  ]
)